SPINS: Security Protocols for Sensor Networks


SPINS: Security Protocols for Sensor Networks Adrian Perrig, Robert Szewczyk, Victor Wen, David Culler, J. D. Tygar Department of Electrical Engineering and Computer Sciences University of California, Berkeley

Agenda
Introduction to Sensor Network
Sensor Network Hardware and Requirements
SPINS Security Blocks
SNEP
μTESLA
Implementation
Evaluation
Applications
Conclusions

Introduction to Sensor Network

Introduction to Sensor Networks: What are Sensor Networks?
A wireless sensor network consists of a number of sensors spread across a geographical area. Each sensor has wireless communication capability and some level of intelligence for signal processing and networking of the data.
Sensors monitor conditions such as temperature, motion, sound, pollution, pressure, chemical concentrations, vibrations and illumination.

Introduction to Sensor Networks Sensor Network Applications

Introduction to Sensor Networks: Common Areas of Research
Lifetime maximization
Robustness and fault tolerance
Self-configuration
Mobility (when sensor nodes or base stations are moving)
Security

Sensor Network Hardware & Requirements

Sensor Network Hardware & Requirements: The Sensor Network Components
Nodes – small battery-powered devices.
Base Station – a more powerful device which provides the connection to an outside network.

Sensor Network Hardware & Requirements: The Sensor Network Limitations
The hardware constraints of the nodes make most of the known security protocols impractical. For example, the working memory of the sensor node is insufficient to even hold the variables that are required by asymmetric cryptographic algorithms, such as RSA or Diffie-Hellman. Existing broadcast authentication schemes are also impractical, as the communication overhead of existing protocols is 50-1000 bytes per packet.

Sensor Network Hardware & Requirements: System Assumptions
The basic communication method is broadcast RF transmission. The sensor nodes establish a routing forest, with a base station as the root of each tree. The base station has similar capabilities to a node, except that it has much more energy and much more memory space.
Basic communication patterns are:
Base Station to Node (e.g. request from sensor)
Node to Base Station (e.g. sensor readings)
Base Station Broadcast (e.g. routing beacon)

Sensor Network Hardware & Requirements: Security Assumptions
Individual nodes might be compromised.
The base station is trusted by all nodes.
At creation, each node is given a secret master key which it shares with the base station.
Nodes and base station have a shared clock which is trusted to have a limited drift.

Sensor Network Hardware & Requirements: Security Requirements
Data Confidentiality – Eavesdroppers should not be able to read the message content.
Semantic Security – Protection against an eavesdropper who obtains plaintext-ciphertext pairs.
Data Authentication – Verifying that the message originated from the claimed source.
Data Integrity – Knowing that the information has not been tampered with by an adversary.
Data Freshness – Knowing that the data is 'fresh'.
Weak Freshness – Message ordering.
Strong Freshness – Knowing that a message was received in response to a message sent earlier.

SPINS – Secure Protocol for Sensor Networks

SPINS – Secure Protocol for Sensor Networks: SPINS Building Blocks
SPINS is built out of 2 main building blocks, SNEP and μTESLA.
SNEP – provides data confidentiality, two-party data authentication, integrity and freshness.
μTESLA – provides authentication for data broadcast.

SPINS – Secure Protocol for Sensor Networks: Notations
A, B – the communicating nodes
N_A – a random bit string generated by A
M1 | M2 – the concatenation of messages M1 and M2
K_AB – a symmetric secret key shared by A and B
{M}K_AB – message M encrypted with key K_AB
{M}{K_AB, IV} – message M encrypted with key K_AB and the initialization vector IV

SPINS – Secure Protocol for Sensor Networks: SNEP – Message Format
K_encr, K_mac are derived from the shared master key.
C – a counter value, which is shared by both sides (but not transmitted). The value of C is incremented after each block.
MAC – Message Authentication Code.

SPINS – Secure Protocol for Sensor Networks: SNEP – What did we achieve?
Data Authentication – the MAC ensures the message is authentic.
Semantic Security – achieved by the use of the counter value, which is long enough not to be repeated in a lifetime.
Replay Protection – achieved by using the counter.
Weak Freshness – using the counter value, messages can be ordered.
Overhead is only 8 bytes per message.

SPINS – Secure Protocol for Sensor Networks: SNEP – Achieving Strong Freshness
In this format, we also achieve strong freshness. Note that the value of N_A is not sent as a part of the message data; rather, it is only used in the MAC calculation.

SPINS – Secure Protocol for Sensor Networks: μTESLA – Authenticated Broadcast
Authenticating a broadcast using a symmetric key is problematic. Assuming an individual node can be compromised, if a 'rogue' node knows the symmetric key used to authenticate the broadcast messages, it can impersonate the broadcast source. Most broadcast authentication proposals are impractical for our resource-limited network, either because they use long asymmetric digital signatures or because they require too much computational overhead. μTESLA achieves broadcast authentication with symmetric primitives, with asymmetry achieved through time-delayed release of keys.

SPINS – Secure Protocol for Sensor Networks: μTESLA – Protocol Overview
Time is divided into intervals, which are known to all parties. Recall that one of the system assumptions is that nodes and base station have a common clock which is synchronized (with a limited drift). The sender (the base station) sends packets which are signed with a MAC key which is not yet known to the receivers at the time they receive the message. The receiving node stores the packets. At a later time interval, the sender will send the MAC key for a previous time interval, and the receiver will be able to authenticate the MAC on the packet.

SPINS – Secure Protocol for Sensor Networks: μTESLA – Protocol Overview (Cont.)
Each MAC key is a key of a key chain which is generated using a one-way function. The sender randomly generates the key K_n (the key for time interval n). The key chain is generated as follows: K_i = F(K_{i+1}). Note that a node which receives K_i cannot compute K_{i+1} due to the nature of the one-way function. However, it can easily verify the correctness of K_{i+1} when it is received by testing that K_i = F(K_{i+1}).

SPINS – Secure Protocol for Sensor Networks: μTESLA – Example
We assume K_0 is known in an authenticated way, and serves as the commitment to the key chain. Messages P1 and P2 are signed using K_1, P3 is signed using K_2 and so on. Assuming a two-interval delay, at time interval 3 the sender will reveal MAC key K_1. The node will then be able to verify that K_0 = F(K_1), and verify the messages.
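
The key chain and delayed key disclosure from the three μTESLA slides above, as an added Python example that is not part of the original presentation or the SPINS authors' code. It assumes SHA-256 as the one-way function F and a truncated HMAC-SHA256 as the MAC; `Receiver` and the function names are hypothetical.

```python
import hashlib
import hmac

def F(key: bytes) -> bytes:
    """One-way function of the key chain (SHA-256 is an assumption of this example)."""
    return hashlib.sha256(key).digest()

def make_chain(n: int, k_n: bytes) -> list:
    """Sender setup: return [K_0, ..., K_n] with K_i = F(K_{i+1})."""
    chain = [k_n]
    for _ in range(n):
        chain.append(F(chain[-1]))
    return chain[::-1]

def mac(key: bytes, msg: bytes) -> bytes:
    """8-byte MAC (truncated HMAC-SHA256, an assumption of this example)."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Receiver:
    """Hypothetical receiver, bootstrapped with the authentic commitment K_0."""

    def __init__(self, commitment: bytes, delay: int = 2):
        self.known_idx, self.known_key = 0, commitment
        self.delay = delay
        self.buffer = []  # (interval, msg, tag) waiting for key disclosure

    def on_packet(self, now: int, interval: int, msg: bytes, tag: bytes) -> bool:
        """Buffer a packet only while its MAC key is still undisclosed."""
        if now >= interval + self.delay:
            return False  # key may already be public, so any node could have made the tag
        self.buffer.append((interval, msg, tag))
        return True

    def on_key(self, idx: int, key: bytes) -> list:
        """Check a disclosed K_idx against the last authentic key, then verify packets."""
        if idx <= self.known_idx:
            return []
        keys, k = {}, key
        for i in range(idx, self.known_idx, -1):  # walk back; recovers skipped keys
            keys[i] = k
            k = F(k)
        if not hmac.compare_digest(k, self.known_key):
            return []  # not on the committed chain
        self.known_idx, self.known_key = idx, key
        ok = [m for i, m, t in self.buffer
              if i in keys and hmac.compare_digest(mac(keys[i], m), t)]
        self.buffer = [p for p in self.buffer if p[0] > idx]
        return ok
```

Because each key hashes down to the previous one, a receiver that misses a disclosure can still authenticate the buffered packets of the skipped interval from the next key it receives.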

SPINS – Secure Protocol for Sensor Networks: μTESLA – More Detailed
Sender setup – The sender needs to generate K_n, then compute and store the keys of the key chain using a one-way function (for example, MD5).
Bootstrapping a new receiver means the receiver needs to know one authentic key of the key chain. Using this key it will later be able to authenticate all the following keys in the chain.
Time synchronization can be achieved as follows:

SPINS Implementation

SPINS Implementation: Block Cipher
Due to the limited program store, all cryptographic primitives are derived from a single block cipher. Due to the stringent resource constraints, many known block cipher algorithms (like AES and DES) are inapplicable. RC5 was chosen due to its small code size and high efficiency. Still, the common RC5 libraries are too large to fit into the platform. A lighter version with reduced functionality provided a 40% code size reduction.

SPINS Implementation: Encryption Function
The block cipher was chosen to work in counter mode (CTR). The major benefits are that the counter provides semantic security, and that this mode does not require padding for messages with varying length.

SPINS Implementation: MAC Creation
The MAC is produced using the block cipher in CBC-MAC mode.

SPINS Implementation: Random Number Generation and Key Setup
Random numbers are generated using the MAC in the following way: N_A = MAC(K_rand, C).
As mentioned before, all keys are derived from a master key that the node and the base station share. This is also done using the MAC function: F_k(x) = MAC(MasterKey, x).
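
An added example (not from the original presentation or the SPINS code) that puts the SNEP slides and the implementation slides above together: keys derived from the master key with the MAC function, counter-mode encryption without padding, and an 8-byte MAC over the untransmitted counter and the ciphertext as in the SNEP format of the SPINS paper, with an optional nonce for strong freshness. HMAC-SHA256 stands in for the RC5-based cipher and CBC-MAC, and `SnepChannel`, its labels and the MAC input layout are assumptions of this example.

```python
import hashlib
import hmac

BLOCK = 32  # keystream block size of the stand-in PRF, in bytes

def prf(key: bytes, data: bytes) -> bytes:
    """Stand-in for the RC5-based primitive on the slides (HMAC-SHA256, an assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()

def ctr_xor(k_encr: bytes, counter: int, data: bytes) -> bytes:
    """Counter mode: XOR with a keystream; output length equals input length."""
    out = bytearray()
    for n, off in enumerate(range(0, len(data), BLOCK)):
        ks = prf(k_encr, (counter + n).to_bytes(8, "big"))
        out += bytes(a ^ b for a, b in zip(data[off:off + BLOCK], ks))
    return bytes(out)

class SnepChannel:
    """Hypothetical one-direction channel; the reverse direction needs its own label."""

    def __init__(self, master: bytes, label: bytes = b"A->B"):
        # F_k(x) = MAC(MasterKey, x): independent keys for encryption and MAC
        self.k_encr = prf(master, b"encr" + label)
        self.k_mac = prf(master, b"mac" + label)
        self.counter = 0  # kept in step by both ends, never transmitted

    def _tag(self, ct: bytes, nonce: bytes) -> bytes:
        # The nonce (N_A) enters the MAC only; it is not part of the message.
        head = bytes([len(nonce)]) + nonce + self.counter.to_bytes(8, "big")
        return prf(self.k_mac, head + ct)[:8]

    def _advance(self, length: int) -> None:
        self.counter += max(1, -(-length // BLOCK))  # one step per block used

    def seal(self, data: bytes, nonce: bytes = b"") -> tuple:
        ct = ctr_xor(self.k_encr, self.counter, data)
        tag = self._tag(ct, nonce)
        self._advance(len(ct))
        return ct, tag

    def open(self, ct: bytes, tag: bytes, nonce: bytes = b""):
        if not hmac.compare_digest(tag, self._tag(ct, nonce)):
            return None  # tampered, replayed, or MAC bound to a different nonce
        data = ctr_xor(self.k_encr, self.counter, ct)
        self._advance(len(ct))
        return data
```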

SPINS Evaluation

SPINS Evaluation Code Size

SPINS Evaluation Energy Cost

SPINS Applications

SPINS Applications: Ad-Hoc Routing Protocol
The basic idea is to send periodic beacons. A node which hears the beacon from the base station forwards the beacon to other nodes. The key disclosure messages used in μTESLA can serve as the beacon from the base station. Late key disclosure and key authentication can verify that no attacker injected false messages into the network.

SPINS Applications: Node to Node Key Agreement
Note that this protocol uses the strong freshness mechanism. Another nice feature is that most of the communication is made by the base station and not by the nodes.

Conclusion

Conclusion
The article suggests that security for sensor networks is feasible even when using an extremely limited sensor platform. There are still several issues which are not answered by the suggested protocol, such as denial-of-service attacks.

Questions?